
Issue 630050


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Integer-overflow in _hb_ot_shape_fallback_kern

Project Member Reported by ClusterFuzz, Jul 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6343719926366208

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  _hb_ot_shape_fallback_kern
  hb_ot_shape_internal
  _hb_ot_shape
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=379622:379730

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97IO65fQ_VT0ffd0aaYaDVtY5qvsNVqAfZidj2CVFuE1c6Jd8XlFK64ZOoPsgRZ4nKOeLDFjOqjmLQ0KpeZVPBou2dsQYxllmrLbxqR5KuZ8C1zrWZe7RaJ9MO_2fwG01fh-YYIZZp4fKb3Q-cAYXzIbek3gA?testcase_id=6343719926366208
 grid-row-start: 126;<style>
* { animation-name: cfpulse74;start); font: 18446744073709551559px fantasy;


Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>WrongResult Blink>Fonts
Labels: Te-Logged M-52
Owner: drott@chromium.org
Status: Assigned (was: Untriaged)
From findit tool:

Author: drott
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4d16ac208962784ddd8744e7a5d4e43b7e24e8ff
Time: Tue May 03 01:37:45 2016
The CL last changed line 352 of file HarfBuzzShaper.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Fonts

Comment 2 by drott@chromium.org, Jul 21 2016

Cc: behdad@chromium.org
Labels: -ClusterFuzz Clusterfuzz
I think we're clamping font size to
static const float maximumAllowedFontSize = 1000000.0f;
in FontBuilder.cpp - not sure if that's still too high for HarfBuzz or whether that clamping is not correctly applied or what is going wrong here.

Comment 3 by behdad@chromium.org, Jul 21 2016

If the font is fuzzed as well, this is expected. At 1000000 font size, we use, IIRC, 8 bits of subpixel precision with hb-font, so that's 256000000 per EM. If the kern value is large, that can easily overflow an int32. That's expected and harmless.

Comment 4 by drott@chromium.org, Jul 21 2016

Can we clip this in HarfBuzz and avoid the overflow at a low cost, or are you suggesting a WontFix?

Comment 5 by behdad@chromium.org, Jul 21 2016

I'm leaning towards a WontFix. It's definitely doable, but there's little point in it and it will make the code ugly.

Maybe clamp fontsize at 10,000 instead of 1,000,000? That should take care of it for the most part.
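To put the arithmetic from comments 3 and 5 into working code, here is an added C example (not from this issue, Blink or HarfBuzz): it models HarfBuzz em-scaling as kern * scale / upem using the 8 bits of subpixel precision quoted above, and reports whether the scaled kern still fits hb_position_t (int32) at the 1,000,000 and 10,000 clamps. The scaling formula is an assumption about HarfBuzz, and the upem and kern inputs are constructed; it also shows why a small-upem font can still overflow at the 10,000 clamp, which is the "for the most part" caveat.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: HarfBuzz em-scaling behaves like kern * scale / upem, and the
 * hb_font scale is the CSS font size with 8 bits of subpixel precision, as
 * stated in the thread (1,000,000px -> 256,000,000 per EM). */
#define SUBPIXEL_BITS 8

/* Converts a CSS font size to an hb_font scale; false if it does not fit int32.
 * The comparison is done in double so an absurd size never hits a UB cast. */
static bool font_scale(double font_size_px, int32_t *scale_out)
{
    double scale = font_size_px * (double)(1 << SUBPIXEL_BITS);
    if (!(scale <= (double)INT32_MAX && scale >= (double)INT32_MIN))
        return false;                 /* also rejects NaN */
    *scale_out = (int32_t)scale;
    return true;
}

/* Scales a font-unit kern to hb positions in 64-bit arithmetic and reports
 * int32 overflow instead of wrapping (signed wrap is the UB UBSan flagged). */
static bool em_scale_checked(int16_t kern, int32_t scale, int upem, int32_t *out)
{
    int64_t scaled = (int64_t)kern * scale / upem;   /* exact in 64 bits */
    if (scaled > INT32_MAX || scaled < INT32_MIN)
        return false;
    *out = (int32_t)scaled;
    return true;
}

/* True when kerning this value at this font size cannot overflow hb_position_t. */
bool kern_fits(double font_size_px, int16_t kern, int upem)
{
    int32_t scale, pos;
    return font_scale(font_size_px, &scale) &&
           em_scale_checked(kern, scale, upem, &pos);
}

int main(void)
{
    /* Constructed inputs: the two clamps from the thread, the most negative
     * int16 kern, a common 1000-upem font and a 16-upem font (OpenType minimum). */
    printf("1,000,000px upem 1000: %s\n", kern_fits(1000000, -32768, 1000) ? "ok" : "overflow");
    printf("   10,000px upem 1000: %s\n", kern_fits(10000, -32768, 1000) ? "ok" : "overflow");
    printf("   10,000px upem   16: %s\n", kern_fits(10000, -32768, 16) ? "ok" : "overflow");
    return 0;
}
```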

Comment 6 by e...@chromium.org, Aug 22 2016

Clamping the font size to 10,000 seems reasonable to me.

Comment 7 by e...@chromium.org, Aug 23 2016

Status: Fixed (was: Assigned)
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
